The Case of the Crypto-Attacks TALOS Group - Security Intelligence and Research Group of CISCO Systems

Atelier Tecnologico - Clusit


The TALOS Group

• Security Intelligence and Research Group of Cisco Systems


• Talos researchers create threat intelligence for Cisco security products to protect customers from both known and emerging threats

• Many sub-teams inside it: malware team, analysts, vulnerability research, developers, ...

• The Malware Team is an advanced team that focuses on malware analysis. Some of its deliverables are to produce content for malware detection across many Cisco products, as well as media outreach. I am an active member of this team.

• The Vulnerability Research Team deals with security vulnerabilities, live incidents, security fixes and patch analysis. Some of us study exploits and release defenses.


Outline

1. What is ransomware?

2. The Crypto malware spread modality

3. What is an Exploit?

4. The CryptoWall case – its dangerous features and peculiar characteristics

5. How can I protect against CryptoWall?

6. Can I recover my encrypted files?

7. Conclusions


What is Ransomware?

• Ransomware is a type of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed

• Some forms of ransomware encrypt files on the system's hard drive, while some may simply lock the system and display messages intended to coax the user into paying *

*definition from Wikipedia


The Crypto malware spread modality

1. E-mail attachments

2. Unpatched bugs in software

3. Removable drives

4. LAN networks


What is an Exploit?

1. An exploit is a piece of software or a chunk of data that takes advantage of a bug or vulnerability in order to cause unintended behavior to occur on computer software, hardware, or something electronic (usually computerized)

2. The unintended behavior often means the execution of malicious code or the acquisition of administrative privileges

3. CryptoWall uses exploits to spread the infection code inside legitimate documents (a PDF file, for example), or to overcome some Windows protections


Exploitation results

Even a Word or a PDF document (perhaps sent as an attachment) could potentially contain a form of crypto-malware


The CryptoWall Case

1. CryptoWall is the ransomware that, together with all its variants (CryptoLocker, TorrentLocker, …), has infected many Italian networks and organizations (news headline: "Hackers infect municipalities - employees pay the ransom")

2. The malware infects the target host -> communicates with the C&C server -> the server generates an RSA public/private key pair

3. Only the public key is transferred to the victim workstation.

4. The malware starts to encrypt each file found on all local disks, removable devices and remote drives

5. Finally, a message is shown to the user


The CryptoWall Case

Its peculiar characteristics are the following:

1. 3 different versions (from the fall of 2012 till now)

2. Anti-VM and anti-debug code – the malware doesn’t run if it detects a virtual machine

3. Usage of the TOR and I2P anonymous networks – the bad guys and the money transfer cannot be tracked

4. Usage of exploits to spread itself and to gain privilege escalation

5. Mix of 32-bit and 64-bit code


How can I protect my environment?

• To protect against crypto ransomware, a good AV product and a firewall should be enough

• BUT the new variants of the virus can overcome even AV, firewall and IPS *

• A very important step is to make regular backups with professional software to an external destination (CryptoWall can even encrypt the backup archive)


* For the detailed technical explanation send me a mail at [email protected]


The New Security Model (Attack Continuum diagram)

BEFORE: Discover, Enforce, Harden

DURING: Detect, Block, Defend

AFTER: Scope, Contain, Remediate

Coverage: Network, Endpoint, Mobile, Virtual, Email & Web, Cloud

Point-in-time vs. Continuous


Can I recover my files?

• Theoretically, the latest versions of CryptoWall make manual decryption of the target files IMPOSSIBLE, because the private key is never communicated to the infected host

• The first versions of CryptoLocker used symmetric encryption: the key used for encryption was the same one needed for decryption. In this case a manual decryption was possible

• The infection has evolved over the years

• In September 2014 some researchers built a solution that leverages a weakness in the implementation of some TorrentLocker samples, but with a very low success rate: http://www.ilsoftware.it/articoli.asp?tag=Esiste-una-soluzione-per-Cryptolocker_11949 -> the malware authors then updated their code
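An added illustration (not Talos or CryptoWall code) of the key-placement point behind the CryptoWall flow slide and the recovery bullets above: a toy XOR cipher stands in for the symmetric scheme, and a textbook-sized RSA pair (constructed primes 61 and 53, no padding) for the key pair the C&C generates; both are assumptions made to keep the demo runnable with the standard library only.

```python
"""Why symmetric-era CryptoLocker files were recoverable and CryptoWall
files are not: it is a question of where the decryption key lives.
Added illustration; the XOR cipher and the tiny RSA parameters below are
constructed for the demo, not taken from any real sample."""
import os


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Toy symmetric cipher: the same key encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def symmetric_recovery(plaintext: bytes) -> bool:
    """Early CryptoLocker model: the key has to be on the infected host,
    so a responder who recovers it from disk or memory can decrypt."""
    key = os.urandom(16)                 # present on the victim machine
    ciphertext = xor_crypt(plaintext, key)
    return xor_crypt(ciphertext, key) == plaintext


def toy_rsa_keypair():
    """C&C-side key generation (textbook RSA with constructed primes)."""
    p, q = 61, 53
    n, phi = p * q, (p - 1) * (q - 1)
    e = 17
    d = pow(e, -1, phi)                  # private exponent, never leaves the C&C
    return (n, e), (n, e, d)             # public part, private part


def rsa_encrypt(m: int, pub) -> int:
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(c: int, priv) -> int:
    n, _e, d = priv
    return pow(c, d, n)


def asymmetric_recovery(m: int):
    """CryptoWall model: only (n, e) is sent to the host. Returns whether the
    host can recover m with what it holds, and whether the C&C can."""
    pub, priv = toy_rsa_keypair()        # generated server-side
    c = rsa_encrypt(m, pub)              # the host encrypts with pub only
    host_attempt = pow(c, pub[1], pub[0])  # all the host can do: reuse e
    return host_attempt == m, rsa_decrypt(c, priv) == m
```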


Conclusions


• Ransomware attacks can be very destructive

• Following security best practices can help defend against this kind of malware

• Secure your company network!

If you are interested in all the nitty-gritty details about CryptoWall and other ransomware, check our TALOS blog:

• https://blogs.cisco.com/security/talos/cryptowall-2

• https://blogs.cisco.com/security/talos/cryptowall-3-0


THE END - THANKS FOR ATTENDING

For any questions mail me at:

[email protected]

Or follow me on Twitter:

@aall86
